A CRYPTOGRAPHIC METHOD

The present invention relates to cryptology and, in particular, to a cryptographic method which can be used for public key encryption and to produce digital signatures.

Cryptographic techniques have become of significant practical importance in the area of digital communications, particularly with the increasing prevalence of digital telecommunications networks. Development has concentrated on schemes which allow message data, often referred to as plaintext, to be encrypted using a key which is available to the public, to produce ciphertext which can only be decrypted using a secret key that is related to the public key but which cannot be derived therefrom. Schemes of this nature were first discussed in W. Diffie and M.E. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, Vol. 22, No. 6, 1976, pp. 644-654, and the first practical implementation was proposed in R.L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", Communications of the ACM, Vol. 21, No. 2, 1978, pp. 120-126, and is known as RSA. The schemes can also be used to produce digital signatures, where the plaintext can be signed by encrypting with the secret key, and then read using the public key.

The cryptographic operations performed on the ciphertext and plaintext are best described and defined using mathematical formulae and symbols that depict the cryptographic process as being a sequence of mathematical operations on the numerical value represented by the bits of the data forming the plaintext or ciphertext. RSA, for example, involves a sequence of operations which are performed in modulo n arithmetic, where n is part of the public key and is the product of two large primes p and q, that constitute the secret key. The security of RSA relies primarily on the difficulty of factoring the composite number n. Although relatively secure and simple to implement, RSA is susceptible to homomorphic attack, where valid digital signatures can be produced from the combination of previously signed messages that have been recorded.

Elliptic curves over finite fields have also been found to be applicable to cryptology where the points on a curve can form a group and where an initial point can be used to derive other points in the group in a cyclical manner until the initial point of the curve is obtained again. The plaintext can be made a coordinate of a point on an elliptic curve and encrypted by performing the operations on the point to move it to another point within the group. The message can only be retrieved by knowing the characteristics of the curve and the order of the group to which the plaintext belongs. The elliptic curve operations are also performed modulo n, where n is the product of two large primes p and q. The first elliptic curve based scheme which is analogous to RSA is proposed in K. Koyama, U.M. Maurer, T. Okamoto and S.A. Vanstone, "New Public-Key Schemes based on Elliptic Curves over the Ring Zn", CRYPTO '91 Abstracts, Santa Barbara, CA, pp. 6-1 to 6-7, 11-15 August, 1991. The paper essentially describes two schemes, discussed hereinafter, which can be used for the same applications as RSA, one can only be used to produce digital signatures, while the second scheme can also be used for public key encryption. The latter scheme, however, is restricted in the types of primes, p and q, and the types of elliptic curves which can be used, and a second coordinate needs to be transmitted with the ciphertext to enable decryption. The first scheme has the disadvantages that the digital signatures are roughly twice as long as the message or plaintext and that trial and error is required to locate a point on the elliptic curve corresponding to a plaintext, which involves incrementing the value x of the plaintext.
In accordance with the present invention there is provided a cryptographic method including:

selecting secret keys p and q, being prime numbers greater than 3;

selecting public parameters for a series of data values which belong to one of a plurality of pairs of groups whereby any one of said data values in one of said pairs of groups is recovered by performing an operation $kN_i + 1$ times modulo n beginning with said any one of said data values, where k is an integer, $N_i$ is the order of the ith pair of groups and n = p.q;

selecting a public encryption key e which is a factor of $kN_i + 1$ for all i; and

processing communications data as a member of one of said pairs of groups by performing said operation on said communications data, whereby the order $N_i$ of the pair of groups i that said communications data belongs to can be determined on the basis of p and q, and a secret decryption key $d_i$ can be determined using $e.d_i = kN_i + 1$.

A preferred embodiment of the present invention is hereinafter described, by way of example only, with reference to the accompanying drawing, wherein:

Figure 1 is a diagram of an elliptic curve used in a preferred embodiment of a cryptographic method.

The preferred embodiment involves operations based on the elliptic curve

$$y^2 = x^3 + ax + b \tag{1}$$

where a and b are constants chosen so that

$$4a^3 + 27b^2 \neq 0 \tag{2}$$

which ensures that the cubic equation

$$z = x^3 + ax + b \tag{3}$$

has three distinct roots. The graph of the curve is as shown in Figure 1 if Equation 1 has three real roots. The curve has the property that if a non-vertical line 2 intersects it at two rational points $(x_1,y_1)$ and $(x_2,y_2)$ then a third rational point of intersection $(x_3,y_3)$ will exist. A tangent 3 to the curve is considered to have a double point of intersection $(x_1,y_1)$ at the point of tangency. If two points $(x_1,y_1)$ and $(x_2,y_2)$ are known then the third point of intersection $(x_3,y_3)$ can be obtained by the following

$$x_3 = \lambda^2 - x_1 - x_2 \tag{4}$$

$$y_3 = \lambda (x_3 - x_1) + y_1 \tag{5}$$

where if $x_1 \neq x_2$ then



2* 



(7) 



$\lambda$ being the slope of the line connecting the points.

Using the curve an "addition" operation can be defined where

$$(x_1,y_1) + (x_2,y_2) = (x_3,-y_3) \tag{8}$$

The sum of the two intersecting points does not give the third intersection point but in fact gives the reflection across the x-axis of the third intersection point $(x_3,y_3)$, as shown in Figure 1. To form a group of points for which every straight line which intersects the curve at two points also intersects at a third, an identity $\infty$ is defined for the addition operation

$$\infty = (x,y) + (x,-y) = (x,-y) + (x,y) \tag{9}$$

The point $\infty$ can be thought of as a point infinitely distant from the curve so that every vertical line passes through the point.

E(a,b) can be used to denote the group of rational points on the curve for a given a,b, including the point $\infty$. Rational points can be derived from one another using the addition operation.

The above arithmetic operations also apply if performed modulo p where p is a prime number larger than 3 and a and b are integers chosen such that

$$4a^3 + 27b^2 \not\equiv 0 \pmod p \tag{10}$$

$E_p(a,b)$ can then be used to denote an elliptic curve group modulo p having elements (x,y) which are pairs of non-negative integers less than p which satisfy

$$y^2 \equiv x^3 + ax + b \pmod p \tag{11}$$

The group includes the identity $\infty$, and the points in the group can be derived from one another using the addition operation. The modulo p curve of Equation 11 would of course be a discontinuous form of that illustrated in Figure 1. A third point on the curve, $R = (x_3,y_3)$, can be derived by adding two other points of the group, $P = (x_1,y_1)$ and $Q = (x_2,y_2)$, using the following

$$x_3 \equiv \lambda^2 - x_1 - x_2 \pmod p \tag{12}$$

$$y_3 \equiv \lambda (x_1 - x_3) - y_1 \pmod p \tag{13}$$

where

$$\lambda \equiv \begin{cases} \dfrac{y_1 - y_2}{x_1 - x_2} & \text{if } x_1 \not\equiv x_2 \pmod p \\[2ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } x_1 \equiv x_2 \text{ and } y_1 \not\equiv -y_2 \pmod p \end{cases} \tag{14}$$

The identity element is defined such that if $x_1 \equiv x_2$ and $y_1 \equiv -y_2$ (mod p), then $P + Q = \infty$, i.e., $P = -Q$ or $(x_1,-y_1) \equiv -(x_1,y_1)$ (mod p). The - symbol before a point in the group denotes the inverse of that point.

A point can be added to itself using the addition operation a number of times, i, to produce other points in the group. This is denoted as

$$(x_i,y_i) \equiv (x_1,y_1) \# i \pmod p \tag{15}$$

where $(x_i,y_i)$ is the ith point derived from the point $(x_1,y_1)$. The # operation is often referred to as multiplication, i.e., the point $(x_i,y_i)$ is the result of multiplying the point $(x_1,y_1)$ by i. Efficient methods, as discussed hereinafter, are available to perform this multiplication, for large values of i, by performing a chain of addition operations on ascending pairs of points in the group.

For example, $(x_2,y_2)$ can be obtained by treating $(x_1,y_1)$ as a double point or point of tangency and adding it onto itself. Tie, M can be obtained by adding M onto itself, and M can be obtained by adding M onto M and (x^yj can be obtained by adding $(x_3,y_3)$ onto (x^ and so on.

If i equals the order of the group, the resulting point is the identity, $\infty$. If i is one more than the order of the group the resulting point is the original point $(x_1,y_1)$, i.e., the group has the property that $P + \infty = \infty + P = P$.

The elliptic curve cryptographic method relies on knowing the order of or number of points in $E_p(a,b)$. The order can be evaluated by observing that for a given value of x, if $x^3 + ax + b$ is a quadratic residue, i.e., possesses a square root modulo p, then there are two values of y that correspond to x, if $x^3 + ax + b$ is divisible by p, then there is only one value of y that corresponds to that x, and otherwise there are no values of y that correspond to that x. Taking also into account the point at $\infty$, the order of the group, denoted $|E_p(a,b)|$ or $N_p$, is given by:

$$N_p = |E_p(a,b)| = 1 + \sum_{x=0}^{p-1} \left[ (z|p) + 1 \right] \tag{16}$$

where $(z|p)$ is the Legendre symbol and $z \equiv x^3 + ax + b$ (mod p). The Legendre symbol is an operation performed using modulo arithmetic, in this case modulo p, to determine whether a number, in this case z, possesses a quadratic residue or not. The operation produces the value of ±1 or 0: 1 if the number is a quadratic residue, -1 if it is a quadratic non-residue and 0 if it is divisible by the modulus, p.

As an example, if p = 5, and a = b = -1, the points of $E_5(-1,-1)$ must satisfy

$$y^2 \equiv x^3 - x - 1 \pmod 5 \tag{17}$$

The elements of the group are (0,2), (1,2), (4,3), (2,0), (4,2), (1,3), (0,3) and $\infty$.

If $(x_1,y_1) = (0,2)$, then

$(x_2,y_2) = (0,2) + (0,2) = (1,2)$, where $\lambda \equiv (3 \times 0 - 1) \times 4 \equiv 1$, $x_2 \equiv 1 - 0 - 0 \equiv 1$ and $-y_2 \equiv 1 \times (1 - 0) + 2 \equiv 3$ (mod 5);

$(x_3,y_3) = (1,2) + (0,2) = (4,3)$, where $\lambda \equiv (2 - 2) \times 1 \equiv 0$, $x_3 \equiv 0 - 1 - 0 \equiv 4$ and $-y_3 \equiv 0 \times (4 - 0) + 2 \equiv 2$ (mod 5);

$(x_4,y_4) = (4,3) + (0,2) = (2,0)$, where $\lambda \equiv (3 - 2) \times 4 \equiv 4$, $x_4 \equiv 16 - 4 - 0 \equiv 2$ and $-y_4 \equiv 4 \times (2 - 0) + 2 \equiv 0$ (mod 5);

$(x_5,y_5) = (2,0) + (0,2) = (4,2)$, where $\lambda \equiv (0 - 2) \times 3 \equiv 4$, $x_5 \equiv 16 - 2 - 0 \equiv 4$ and $-y_5 \equiv 4 \times (4 - 0) + 2 \equiv 3$ (mod 5);

$(x_6,y_6) = (4,2) + (0,2) = (1,3)$, where $\lambda \equiv (2 - 2) \times 4 \equiv 0$, $x_6 \equiv 0 - 4 - 0 \equiv 1$ and $-y_6 \equiv 0 \times (1 - 0) + 2 \equiv 2$ (mod 5);

$(x_7,y_7) = (1,3) + (0,2) = (0,3)$, where $\lambda \equiv (3 - 2) \times 1 \equiv 1$, $x_7 \equiv 1 - 1 - 0 \equiv 0$ and $-y_7 \equiv 1 \times (0 - 0) + 2 \equiv 2$ (mod 5);

$(x_8,y_8) = (0,3) + (0,2) = \infty$.
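The chain of additions above can be reproduced directly from Equations 12 to 16. The following Python is an added example, not part of the patent text; the function names are illustrative, and the brute-force order count is only practical for small p.

```python
# Added example: affine arithmetic on E_p(a,b) following Equations 12 to 16.
INF = None  # the identity element (point at infinity)


def legendre(z, p):
    """Legendre symbol (z|p) by Euler's criterion: returns 1, -1 or 0."""
    r = pow(z % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def add(P, Q, a, p):
    """P + Q on y^2 = x^3 + ax + b (mod p), Equations 12 to 14."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # P = -Q gives the identity
    if x1 != x2:
        lam = (y1 - y2) * pow((x1 - x2) % p, -1, p) % p
    else:                                            # doubling (tangent) case
        lam = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def multiples(P, a, p):
    """Return [P#1, P#2, ...], stopping once the identity is reached."""
    out, R = [P], P
    while R is not INF:
        R = add(R, P, a, p)
        out.append(R)
    return out


def order_standard(a, b, p):
    """Equation 16: one for infinity plus ((z|p) + 1) points for each x."""
    return 1 + sum(legendre(x**3 + a * x + b, p) + 1 for x in range(p))


if __name__ == "__main__":
    # The worked example: p = 5, a = b = -1, starting point (0,2).
    print(multiples((0, 2), -1, 5))
    print(order_standard(-1, -1, 5))
```
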



A practical technique for computing the order of an elliptic group modulo p for large p is discussed in A.K. Lenstra and H.W. Lenstra, Jnr., "Algorithms in Number Theory", University of Chicago, Department of Computer Science, Technical Report #87-008, 1987. Two particular cases using the technique are discussed in D.M. Bressoud, Factorisation and Primality Testing, Springer-Verlag, New York, 1989 and are as follows. The equations for the orders used in the two cases were proved by a mathematician, Andre Weil in 1952.



In the first case, if p is an ordinary prime which is congruent to 1 modulo 4, r is a complex prime that divides p and is congruent to 1 modulo 2 + 2i, and D is any integer not divisible by p then the order of $E_p(-D,0)$ is

$$|E_p(-D,0)| = p + 1 - \overline{(D|r)_4}\, r - (D|r)_4\, \bar{r} \tag{18}$$

where $(x|r)_4$ is the fourth power symbol and $\bar{r}$ is the conjugate of the complex integer r.

For example, if p = 13 and r = 3 + 2i, then

$|E_{13}(-1,0)| = 14 - (1)(3 + 2i) - (1)(3 - 2i) = 8$
$|E_{13}(1,0)| = 14 - (-1)(3 + 2i) - (-1)(3 - 2i) = 20$
$|E_{13}(-2,0)| = 14 - (i)(3 + 2i) - (-i)(3 - 2i) = 18$
$|E_{13}(2,0)| = 14 - (-i)(3 + 2i) - (i)(3 - 2i) = 10$

In the second case, if p is an ordinary prime which is congruent to 1 modulo 3, r is a cubic prime that divides p and is congruent to 2 modulo 3 and D is any integer not divisible by p then the order of $E_p(0,D)$ is

$$|E_p(0,D)| = p + 1 + \overline{(4D|r)_6}\, r + (4D|r)_6\, \bar{r} \tag{19}$$

where $(x|r)_6$ is the sixth power symbol and $\bar{r}$ is the conjugate of the cubic integer r.

For example, if p = 13 and $r = -4 - 3\omega$, where $\omega = e^{2\pi i/3}$, then

$|E_{13}(0,1)| = 14 + (\omega^2)(-4 - 3\omega) + (\omega)(-1 + 3\omega) = 12$
$|E_{13}(0,2)| = 14 + (-1)(-4 - 3\omega) + (-1)(-1 + 3\omega) = 19$
$|E_{13}(0,3)| = 14 + (1)(-4 - 3\omega) + (1)(-1 + 3\omega) = 9$
$|E_{13}(0,4)| = 14 + (\omega)(-4 - 3\omega) + (\omega^2)(-1 + 3\omega) = 21$
$|E_{13}(0,5)| = 14 + (-\omega^2)(-4 - 3\omega) + (-\omega)(-1 + 3\omega) = 16$
$|E_{13}(0,6)| = 14 + (-\omega)(-4 - 3\omega) + (-\omega^2)(-1 + 3\omega) = 7$

It has also been shown that for every elliptic curve of Equation 11

$$|E_p(a,b)| = p + 1 + \alpha, \text{ where } |\alpha| \le 2\sqrt{p} \tag{20}$$

The above illustrates that the order of the group $E_p(a,b)$ can be determined.

For the group $E_p(a,b)$, the following applies

$$(x_1,y_1) \# \{p + 1 + \alpha\} \pmod p = \infty \tag{21}$$

and therefore

$$(x_1,y_1) \# \{m(p + 1 + \alpha) \pm 1\} \pmod p = (x_1, \pm y_1) \tag{22}$$

where m is an arbitrary integer. Equation 22 includes a ± value as the group $E_p(a,b)$ is symmetrical about $\infty$ because 1 point past $\infty$, $(x_1,y_1)$ is obtained, whereas one point short of $\infty$, $(x_1,-y_1)$ is obtained, and only the plaintext $x_1$ is of interest. The term in { } of Equation 22 can be considered to be equal to e.d, where e constitutes an encryption key and d constitutes a decryption key. Therefore for encryption of a message or plaintext which has a value $x_1$ that is a coordinate of the point $(x_1,y_1)$ on the elliptic curve, the following encryption operation can be performed

$$(x_e,y_e) \equiv (x_1,y_1) \# e \pmod p \tag{23}$$

The ciphertext $x_e$ can then be decrypted using

$$(x_1,y_1) \equiv (x_e,y_e) \# d \pmod p \tag{24}$$

Also to apply a digital signature to the plaintext the following operation is executed

$$(x_d,y_d) \equiv (x_1,y_1) \# d \pmod p \tag{25}$$

and then the signature can be validated by executing the following

$$(x_1,y_1) \equiv (x_d,y_d) \# e \pmod p \tag{26}$$

Once the prime p is selected and the order of the group $E_p(a,b)$ is known, e is randomly selected and d can be determined according to the Equation 22 from the following

$$e.d \equiv \pm 1 \bmod (p + 1 + \alpha) \tag{27}$$
The same also applies for a group $E_q(a,b)$ based on another large prime q such that

$$(x_1,y_1) \# \{k(q + 1 + \beta) \pm 1\} \pmod q = (x_1, \pm y_1) \tag{28}$$

where $q + 1 + \beta$ is the order $N_q$ of the group $E_q(a,b)$, k is an arbitrary integer, and $|\beta| \le 2\sqrt{q}$.

The points on $E_n(a,b)$, where n = p.q, can each be represented uniquely by a pair of the points of $E_p(a,b)$ and $E_q(a,b)$, according to the Chinese Remainder Theorem (CRT) for modulo arithmetic, therefore the encryption and decryption schemes of Equations 23 to 26 can be performed in modulo n, where n is made public and p and q are kept secret. Again, once e is selected d is then determined using

$$e.d \equiv \pm 1 \bmod (N_n) \tag{29}$$

where $N_n = N_p N_q$ or $N_n = \mathrm{lcm}(N_p, N_q)$. $N_n$ can only be determined if p and q are known, which enables $N_p$ and $N_q$ to be determined as shown previously.

Encryption and digital encryption schemes which use specific elliptic curve groups are discussed in K. Koyama, U.M. Maurer, T. Okamoto and S.A. Vanstone, "New Public-Key Schemes based on Elliptic Curves over the Ring Zn", CRYPTO '91 Abstracts, Santa Barbara, CA, pp. 6-1 to 6-7, 11-15 August, 1991. One of the schemes can be only used for digital signatures as both p and q need to be known to find a point on $E_n(a,b)$ which corresponds to the plaintext, because a square root modulo n needs to be found for $z \equiv y^2$ (mod n). Also the plaintext generally needs to be incremented to find a value of x, representing the plaintext, which gives a z that is a quadratic residue modulo n. This can be a time consuming process as many values may have to be tried before a valid value can be found. The signature used in the scheme is also approximately twice as long as the original plaintext or message data. For the encryption schemes proposed in the paper, only odd primes can be used for p and q which satisfy $p \equiv q \equiv 2$ (mod 3) or $p \equiv q \equiv 3$ (mod 4). This restricts the orders of the groups used to p + 1 and q + 1, which cannot be changed. The schemes do not allow for use of general elliptic groups $E_p(a,b)$ and $E_q(a,b)$ for which the order of these groups can be determined. Also both coordinates (x,y) need to be specified during the encryption process and sent to a receiver. This enables the sender and receiver to determine the curve on which the encryption process is operating, as the curve used is not the same for each message, because the constraints discussed above require a curve and message to be fitted to one another for each message.

The preferred embodiment of the present invention provides a cryptographic method which fixes the curve used by allowing the plaintext x to represent a coordinate of a point (x,y) where y is indeterminant for the field of the curve for non-negative integer values of x. This first requires the creation and definition of a complementary group, as discussed below, for the elliptic curve modulo p.

For the complementary group, p is a prime, greater than 3, and again, a and b are chosen so that Equation 10 holds. The group is denoted by $\overline{E_p(a,b)}$ and its elements (x,y) satisfy Equation 11 but y is indeterminant for non-negative integer values of x. The indeterminant coordinate y is considered to be of the form $y = u\sqrt{v}$ where u is a non-negative integer less than p and v is a fixed quadratic non-residue modulo p. The identity element $\infty$ and the addition operation are identical to those described previously for the standard group $E_p(a,b)$.

In the complementary group if $P = (x_1,y_1) = (x_1,u_1\sqrt{v})$ and $Q = (x_2,y_2) = (x_2,u_2\sqrt{v})$ are two elements in the group, then $R = (x_3,y_3) = (x_3,u_3\sqrt{v})$ is also in the group, i.e.,

$$(x_1,y_1) + (x_2,y_2) \equiv (x_3,y_3) \pmod p, \tag{30}$$

where, if $x_1 \not\equiv x_2$ (mod p),

$$x_3 \equiv \left[ \frac{u_1 - u_2}{x_1 - x_2} \right]^2 v - x_1 - x_2 \pmod p \tag{31}$$

$$u_3 \equiv \left\{ \frac{u_1 - u_2}{x_1 - x_2} \right\} (x_1 - x_3) - u_1 \pmod p, \tag{32}$$

or, if $x_1 \equiv x_2$ and $y_1 \not\equiv -y_2$ (mod p),

$$x_3 \equiv \left[ \frac{3x_1^2 + a}{2u_1} \right]^2 \frac{1}{v} - x_1 - x_2 \pmod p \tag{33}$$

$$u_3 \equiv \left\{ \frac{3x_1^2 + a}{2u_1 v} \right\} (x_1 - x_3) - u_1 \pmod p, \tag{34}$$

This demonstrates the closure property of the group in that a point $(x_3,y_3)$ in the group can be obtained from addition of two other points $(x_1,y_1)$ and $(x_2,y_2)$ in the group. It also can be shown that other group axioms hold for the complementary group. The order of the complementary group is given by

where $(z|p)$ is the Legendre symbol and $z \equiv x^3 + ax + b$ (mod p). Equation 35 follows because, for the complementary group, in addition to the point at infinity, for a given value of x:

1. There are two values of y that correspond to that value of x, if z is a quadratic non-residue modulo p;
2. There is one value of y that corresponds to that value of x, if $z \equiv 0$ modulo p; and
3. There are no values of y that correspond to that value of x, if z is a quadratic residue.

If there are A values of x for which $(z|p) = 1$, B values of x for which $(z|p) = 0$ and C values of x for which $(z|p) = -1$ then, since x must be one of p possible values, because there are only p values of x which produce unique values of z,

$$A + B + C = p \tag{36}$$

From Equations 16 and 20

$$|E_p(a,b)| = 1 + 2A + B = 1 + p + \alpha, \tag{37}$$

$$2A + B = p + \alpha \tag{38}$$

Consequently, from Equations 35, 36 and 38,

$$|\overline{E_p(a,b)}| = 1 + 2C + B = 1 + 2p - (2A + B) = 1 + p - \alpha \tag{39}$$

This establishes the order of the complementary group $|\overline{E_p(a,b)}|$ in terms of the parameters of the order of the standard group $|E_p(a,b)|$. A similar expression also holds for another large prime q. An encryption method can therefore be established using a fixed curve and obtaining points on the curve which may be in, for modulo n operations, one of four pairs of groups, the standard groups for both p and q, the complementary groups for both p and q, the standard group for p and the complementary group for q, or the standard group for q and the complementary group for p. The two primes, p and q are randomly selected, together with parameters a and b which define the elliptic curve. The arithmetic modulus n = p.q is calculated, $\gcd(4a^3 + 27b^2, n) = 1$ is checked, and the order of the groups for primes p and q are as follows: $|E_p(a,b)| = 1 + p + \alpha$, $|\overline{E_p(a,b)}| = 1 + p - \alpha$, $|E_q(a,b)| = 1 + q + \beta$ and $|\overline{E_q(a,b)}| = 1 + q - \beta$. The orders of these groups can then be calculated as discussed previously. The plaintext is represented by x and s represents the ciphertext, where $0 \le x, s \le n-1$.

Encryption is performed according to the following

$$(s,t) \equiv (x,y) \# e \pmod n \tag{40}$$

and decryption is performed by

$$(x,y) \equiv (s,t) \# d_i \pmod n \tag{41}$$

where

$$e.d_i \equiv \pm 1 \pmod{N_i}, \quad i = 1 \text{ to } 4, \tag{42}$$

$$\gcd(e, N_i) = 1, \quad i = 1 \text{ to } 4, \tag{43}$$

$$N_1 = \mathrm{lcm}(p + 1 + \alpha,\ q + 1 + \beta) \text{ if } (w|p) = 1 \text{ and } (w|q) = 1, \tag{44}$$

$$N_2 = \mathrm{lcm}(p + 1 + \alpha,\ q + 1 - \beta) \text{ if } (w|p) = 1 \text{ and } (w|q) \neq 1, \tag{45}$$

$$N_3 = \mathrm{lcm}(p + 1 - \alpha,\ q + 1 + \beta) \text{ if } (w|p) \neq 1 \text{ and } (w|q) = 1, \tag{46}$$

$$N_4 = \mathrm{lcm}(p + 1 - \alpha,\ q + 1 - \beta) \text{ if } (w|p) \neq 1 \text{ and } (w|q) \neq 1, \tag{47}$$

$$z \equiv x^3 + ax + b \pmod n, \tag{48}$$

$$y = \sqrt{z} \pmod n, \tag{49}$$

$$w \equiv s^3 + as + b \pmod n, \text{ and} \tag{50}$$

$$t = \sqrt{w} \pmod n. \tag{51}$$

The values of $N_i$ are determined by finding the lowest common multiple (lcm) of the orders of the respective p and q groups. The encryption key e is randomly selected with the only qualification that the greatest common divisor of e and $N_i$ is 1. The parameters n, a, b and the encryption key e are made available to the public so that any plaintext x can be encrypted, whereas the decryption keys $d_i$ and the primes p and q are kept secret. The ciphertext s can only be decrypted by first using the Legendre symbols $(w|p)$ and $(w|q)$ to determine which pair of groups the ciphertext (s,t) is a member of. Once this is determined, the appropriate $N_i$ can be used to determine the correct decryption key $d_i$ to be used, which is derived using $e.d_i \equiv \pm 1$ (mod $N_i$).

If p, q, a and b are chosen so that $\alpha = \beta = 0$ in Equations 44 to 47, then $N_i = \mathrm{lcm}(p+1, q+1)$ is constant for all i = 1 to 4. Consequently only one value of $d_i$ needs to be calculated and decryption is independent of Legendre symbols $(w|p)$ and $(w|q)$.

The decryption time can be reduced, by a factor of approximately 4, by performing the operation of Equation 41 in modulo p and modulo q and then combining the results using the Chinese Remainder Theorem.

The security of the scheme relies primarily on the inherent difficulty in factoring p and q from n which are required to derive appropriate decryption keys $d_i$, but the security is also enhanced by the fact that it is difficult to determine where the point (s,t) is on the elliptic curve and to which group it belongs because only the first coordinate s is calculated and transmitted.

Computation of the second coordinates y and t can also be avoided using the doubling algorithms discussed in D.M. Bressoud, Factorisation and Primality Testing, Springer-Verlag, New York, 1989. The algorithms are as follows.

In the elliptic group $E_p(a,b)$ (or $\overline{E_p(a,b)}$), let $(x_i,y_i) \equiv (x,y) \# i$ (mod p). If $y_i \not\equiv 0$ (mod p), then

$$x_{2i} \equiv \frac{(x_i^2 - a)^2 - 8bx_i}{4(x_i^3 + ax_i + b)} \pmod p \tag{52}$$

In addition, if $x_i \not\equiv x_{i+1}$, and $x \not\equiv 0$ (mod p), then

Equation 53 cannot be used if $x \equiv 0$ modulo p (or q). However, the equation can be rearranged to give

$$x_{2i+1} \equiv \frac{4b + 2(a + x_i x_{i+1})(x_i + x_{i+1})}{(x_i - x_{i+1})^2} - x \pmod p \tag{54}$$

which is valid for all $0 \le x \le p-1$ (and consequently for all $0 \le x \le n-1$ when computations are performed modulo n). The Equations 52 to 54 do not determine all of the points within an elliptic group but enable a sufficient number of the points to be derived to obtain the coordinate s dictated by the encryption key e.

It can be shown that $x_i$ is never congruent to $x_{i+1}$ modulo p (or q) during the course of computing $s \equiv x_e$ modulo n, as given by Equation 40. Similarly $s_i$ is never congruent to $s_{i+1}$ modulo p (or q) during the course of computing Equation 41. However it is possible (although extremely unlikely) that $y_i$ may become congruent to 0 modulo p (or q) during the course of computations and therefore for Equation 52 to become undefined. However, homogeneous coordinates can be used which enable division to be avoided until the final stage of the encryption or decryption procedure.

Homogeneous coordinates are formed by setting $x \equiv X/Z$ (mod p) and $y \equiv Y/Z$ (mod p). If $(x_i,y_i) \equiv (X_i/Z_i, Y_i/Z_i) \equiv (X/Z, Y/Z) \# i$ (mod p), Equations 52 and 54 can be restated in the following form using modulo n arithmetic.

$$X_{2i} \equiv (X_i^2 - aZ_i^2)^2 - 8bX_iZ_i^3 \pmod n \tag{55}$$

$$Z_{2i} \equiv 4Z_i(X_i^3 + aX_iZ_i^2 + bZ_i^3) \pmod n \tag{56}$$

$$X_{2i+1} \equiv Z\left[4bZ_i^2Z_{i+1}^2 + 2(aZ_iZ_{i+1} + X_iX_{i+1})(X_iZ_{i+1} + X_{i+1}Z_i)\right] - X(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n \tag{57}$$

$$Z_{2i+1} \equiv Z(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n \tag{58}$$

Using the homogeneous coordinate notation discussed above, the encryption and decryption procedures can be restated as follows

$$s \equiv x_e \equiv X_e/Z_e \pmod n \tag{59}$$

where X = x and Z = 1, and

$$x \equiv s_{d_i} \equiv S_{d_i}/Z_{d_i} \pmod n \tag{60}$$

where S = s, Z = 1 and $d_i$ is as defined by Equations 42 to 51.
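The complete procedure of Equations 40 to 47, computed with the first-coordinate arithmetic of Equations 55 to 58, can be exercised end to end with small numbers. The following Python is an added example, not part of the patent text: the primes 11 and 17, the curve a = 1, b = 3 and the key e = 5 are constructed toy values, the function names are illustrative, and the group orders are counted by brute force (Equation 16, then Equation 39), which is only feasible for toy primes.

```python
# Added example: toy run of the scheme using only first coordinates.
from math import gcd


def legendre(z, p):
    """Legendre symbol (z|p) by Euler's criterion: 1, -1 or 0."""
    r = pow(z % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def group_orders(a, b, p):
    """(standard, complementary) group orders modulo p, Equations 16 and 39."""
    std = 1 + sum(legendre(x**3 + a * x + b, p) + 1 for x in range(p))
    return std, 2 * p + 2 - std


def double(X, Z, a, b, n):
    """Equations 55 and 56: (X_2i, Z_2i) from (X_i, Z_i)."""
    return (((X * X - a * Z * Z) ** 2 - 8 * b * X * Z**3) % n,
            4 * Z * (X**3 + a * X * Z * Z + b * Z**3) % n)


def add_consecutive(Pi, Pj, x, a, b, n):
    """Equations 57 and 58 for points i and i+1, base point (X, Z) = (x, 1)."""
    (Xi, Zi), (Xj, Zj) = Pi, Pj
    D = (Xi * Zj - Xj * Zi) ** 2
    N = 4 * b * (Zi * Zj) ** 2 + 2 * (a * Zi * Zj + Xi * Xj) * (Xi * Zj + Xj * Zi)
    return (N - x * D) % n, D % n


def multiply(x, k, a, b, n):
    """First coordinate of (x,y)#k modulo n for k >= 1; y is never computed."""
    x %= n
    lo, hi = (x, 1), double(x, 1, a, b, n)            # points 1 and 2
    for bit in bin(k)[3:]:                            # bits after the leading 1
        mid = add_consecutive(lo, hi, x, a, b, n)     # point 2i+1
        if bit == "0":
            lo, hi = double(*lo, a, b, n), mid        # now (2i, 2i+1)
        else:
            lo, hi = mid, double(*hi, a, b, n)        # now (2i+1, 2i+2)
    X, Z = lo
    return X * pow(Z, -1, n) % n                      # the only division


def keygen(p, q, a, b, e):
    """Return n and the four secret keys d_i of Equations 42 to 47."""
    n = p * q
    if gcd(4 * a**3 + 27 * b**2, n) != 1:
        raise ValueError("gcd(4a^3 + 27b^2, n) must be 1")
    (sp, cp), (sq, cq) = group_orders(a, b, p), group_orders(a, b, q)
    lcm = lambda u, v: u * v // gcd(u, v)
    # Table key: ((w|p) == 1, (w|q) == 1), the conditions of Equations 44 to 47.
    N = {(True, True): lcm(sp, sq), (True, False): lcm(sp, cq),
         (False, True): lcm(cp, sq), (False, False): lcm(cp, cq)}
    if any(gcd(e, Ni) != 1 for Ni in N.values()):
        raise ValueError("e must be coprime to every N_i (Equation 43)")
    return n, {key: pow(e, -1, Ni) for key, Ni in N.items()}


def encrypt(x, e, a, b, n):
    return multiply(x, e, a, b, n)                    # Equation 59


def decrypt(s, d, a, b, p, q):
    w = s**3 + a * s + b                              # Equation 50
    key = (legendre(w, p) == 1, legendre(w, q) == 1)  # needs the secret p, q
    return multiply(s, d[key], a, b, p * q)           # Equation 60


# Constructed toy parameters (not from the patent text).
P, Q, A, B, E = 11, 17, 1, 3, 5
N_MOD, D_TABLE = keygen(P, Q, A, B, E)

if __name__ == "__main__":
    for x in (2, 42, 100):
        s = encrypt(x, E, A, B, N_MOD)
        print(x, "->", s, "->", decrypt(s, D_TABLE, A, B, P, Q))
```

The ciphertext is a single residue modulo n, the same size as the plaintext, and decryption selects one of four keys from the Legendre symbols of w, which requires p and q.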



The encryption method can be equally applied to producing digital signatures by using the decryption key $d_i$ to produce the signatures as follows

$$s \equiv X_{d_i}/Z_{d_i} \pmod n \tag{61}$$

where X = x is the message or plaintext, Z = 1 and $d_i$ is as defined by Equations 42 to 51 with $z \equiv x^3 + ax + b$ (mod n) replacing w in Equations 44 to 47.

Signature verification is performed by computing:

$$x \equiv S_e/Z_e \pmod n \tag{62}$$

where S = s and Z = 1.

The cryptographic method discussed above can also be applied to other number systems, such as Lucas sequences, that can be divided into similar pairs of cyclic groups where operations can be performed on the members of a pair of groups so as to generate members of the pair of groups from one member, including the initially selected member.

The cryptographic method discussed above has a number of significant advantages over previous methods, such as:

(i) The method can be used for both digital signature and encryption applications.

(ii) The message data does not need to be extended, i.e., the ciphertext and the plaintext are the same bit length.

(iii) Only the first coordinates of points on the elliptic curve need to be determined.

(iv) The method can be used for any values of p and q, greater than 3, and any values of a and b for which the order of the elliptic groups can be determined, provided $\gcd(4a^3 + 27b^2, n) = 1$.

(v) The parameters a and b remain fixed and are publicly known, therefore they do not have to be determined or calculated at either the sending or receiving terminals.

(vi) The method appears to be immune from homomorphic attack, i.e., new signatures cannot be created from a database of previously used signatures, one reason being that the second coordinate of the points on the elliptic curve are never calculated and it is difficult to add the first coordinates of two arbitrary points without knowing the corresponding second coordinates. Second coordinates can only be determined if p and q are known.

CLAIMS:

1. A cryptographic method including:

selecting secret keys p and q, being prime numbers greater than 3;

selecting public parameters for a series of data values which belong to one of a plurality of pairs of groups whereby any one of said data values in one of said pairs of groups is recovered by performing an operation $kN_i + 1$ times modulo n beginning with said any one of said data values, where k is an integer, $N_i$ is the order of the ith pair of groups and n = p.q;

selecting a public encryption key e which is a factor of $kN_i + 1$ for all i; and

processing communications data as a member of one of said pairs of groups by performing said operation on said communications data, whereby the order $N_i$ of the pair of groups i that said communications data belongs to can be determined on the basis of p and q, and a secret decryption key $d_i$ can be determined using $e.d_i = kN_i + 1$.

2. A cryptographic method as claimed in claim 1, including encrypting message data having a data value x to obtain ciphertext s by performing said operation e times on x.

3. A cryptographic method as claimed in claim 1, including decrypting ciphertext having a data value s by determining which one of said pairs of groups s belongs to and $N_i$ and $d_i$ for said one of said pairs of groups on the basis of e, p, q and said public parameters, and performing said operation $d_i$ times on s.

4. A cryptographic method as claimed in claim 1, including obtaining a digital signature, on message data having a data value x by determining which one of said pairs of groups x belongs to and $N_i$ and $d_i$ for said one of said pairs of groups on the basis of e, p and q and said public parameters, and performing said operation $d_i$ times on x.

5. A cryptographic method as claimed in claim 1, including verifying a digital signature having a data value s by performing said operation e times to obtain plaintext.

6. A cryptographic method as claimed in claim 3, wherein only said ciphertext s, said public parameters and p and q are required to determine said one of said pairs of groups.

7. A cryptographic method as claimed in claim 4, wherein only said message data x, said public parameters and p and q are required to determine said one of said pairs of groups.

8. A cryptographic method as claimed in claim 1, wherein said pairs of groups include complementary groups which include indeterminate data values.

9. A cryptographic method as claimed in claim 1, wherein said parameters are parameters of curve and said data values represent points on said curve.



10. A cryptographic method as claimed in claim 9, wherein said curve is elliptic.

11. A cryptographic method as claimed in claim 10, wherein said curve includes said points (x,y) such that

$$y^2 \equiv x^3 + ax + b \pmod n$$

where a and b are said public parameters and $\gcd(4a^3 + 27b^2, n) = 1$, and said data values represent x coordinates.

12. A cryptographic method as claimed in claim 11, wherein said operation is a point multiplication on said curve denoted by the symbol #, such that

$$(x,y) \# \{kN_i + 1\} \equiv (x,y) \# e.d_i \equiv (x,y) \pmod n$$

13. A cryptographic method as claimed in claim 12, wherein y may be indeterminate and equal $u\sqrt{v}$ where u is an integer and v is a fixed quadratic non-residue.

14. A cryptographic method as claimed in claim 13, wherein for a point (s,t) obtained by performing said operation on a point (x,y), (s,t) belongs to one of four of said pairs of groups, i equal to 1, 2, 3 or 4, where

$$e.d_i \equiv \pm 1 \pmod{N_i}, \quad i = 1 \text{ to } 4,$$

$$\gcd(e, N_i) = 1, \quad i = 1 \text{ to } 4,$$

$$N_1 = \mathrm{lcm}(p + 1 + \alpha,\ q + 1 + \beta) \text{ if } (w|p) = 1 \text{ and } (w|q) = 1,$$

$$N_2 = \mathrm{lcm}(p + 1 + \alpha,\ q + 1 - \beta) \text{ if } (w|p) = 1 \text{ and } (w|q) \neq 1,$$

$$N_3 = \mathrm{lcm}(p + 1 - \alpha,\ q + 1 + \beta) \text{ if } (w|p) \neq 1 \text{ and } (w|q) = 1,$$

$$N_4 = \mathrm{lcm}(p + 1 - \alpha,\ q + 1 - \beta) \text{ if } (w|p) \neq 1 \text{ and } (w|q) \neq 1,$$

$$z \equiv x^3 + ax + b \pmod n,$$

$$y \equiv \sqrt{z} \pmod n,$$

$$w \equiv s^3 + as + b \pmod n, \text{ and}$$

$$t \equiv \sqrt{w} \pmod n,$$

$\alpha$ and $\beta$ being constants such that $|\alpha| \le 2\sqrt{p}$ and $|\beta| \le 2\sqrt{q}$ and $(w|p)$, $(w|q)$ being the Legendre symbol, whereby said one of said pairs of groups has an order $N_1$, $N_2$, $N_3$ or $N_4$ and corresponding decryption key $d_1$, $d_2$, $d_3$ or $d_4$, respectively.

15. A cryptographic method as claimed in claim 14, including encrypting plaintext having a data value x to obtain ciphertext s by performing the following

$$(s,t) \equiv (x,y) \# e \pmod n$$

16. A cryptographic method as claimed in claim 14, including decrypting ciphertext having a data value s to obtain plaintext x by performing the following

$$(x,y) \equiv (s,t) \# d_i \pmod n$$

17. A cryptographic method as claimed in claim 14, including obtaining a digital signature having data value s on plaintext x by performing the following

$$(s,t) \equiv (x,y) \# d_i \pmod n$$

and substituting z for w to determine $N_i$ and $d_i$.

18. A cryptographic method as claimed in claim 14, including verifying a digital signature having a data value s to obtain plaintext x by performing the following

$$(x,y) \equiv (s,t) \# e \pmod n$$

19. A cryptographic method as claimed in claim 14, wherein $x \equiv X/Z$ (mod n) and $y \equiv Y/Z$ (mod n) and $(x_i,y_i) \equiv (X_i/Z_i, Y_i/Z_i) \equiv (X/Z, Y/Z) \# i$ (mod n), and points in said groups are obtained using the following

$$X_{2i} \equiv (X_i^2 - aZ_i^2)^2 - 8bX_iZ_i^3 \pmod n$$

$$Z_{2i} \equiv 4Z_i(X_i^3 + aX_iZ_i^2 + bZ_i^3) \pmod n$$

$$X_{2i+1} \equiv Z\left[4bZ_i^2Z_{i+1}^2 + 2(aZ_iZ_{i+1} + X_iX_{i+1})(X_iZ_{i+1} + X_{i+1}Z_i)\right] - X(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n$$

$$Z_{2i+1} \equiv Z(X_iZ_{i+1} - X_{i+1}Z_i)^2 \pmod n$$

20. A cryptographic method as claimed in claim 19, including encrypting plaintext having a data value x to obtain ciphertext s using the following

$$s \equiv x_e \equiv X_e/Z_e \pmod n$$

where X = x and Z = 1.

21. A cryptographic method as claimed in claim 19, including decrypting ciphertext having a data value s to obtain plaintext x using the following

$$x \equiv s_{d_i} \equiv S_{d_i}/Z_{d_i} \pmod n$$

where S = s, Z = 1.

22. A cryptographic method as claimed in claim 19, including generating a digital signature having a data value s from plaintext x using the following

$$s \equiv X_{d_i}/Z_{d_i} \pmod n$$

where X = x, Z = 1 and to determine $N_i$ and $d_i$, z is substituted for w.

23. A cryptographic method as claimed in claim 19, including verifying a digital signature having a data value s to obtain plaintext x by performing the following

$$x \equiv S_e/Z_e \pmod n$$

where S = s and Z = 1.